Secure Cloud-to-Mainframe Connectivity With IBM Bluemix


Front cover

Secure Hybrid Cloud Connectivity with IBM Bluemix and z Systems

Jeff Miller
Senior Software Engineer, IBM Competitive Project Office

Redpaper

Cloud-mainframe connections can be secure and reliable

The cloud is a major force in computing today, with leading companies moving more and more of their information technology (IT) workloads away from their local data centers. It's easy to see why:

- Reduced entry cost (less labor, hardware, power, and so on)
- Simplified infrastructure management, particularly for multi-tiered applications
- Ability to grow and shrink capacity elastically, and with agility
- Support for self-service: New environments brought up and down quickly and easily

Of course, designing applications in multiple tiers is not a new trend. Systems have been split into front-end presentation tiers and back-end business logic or data tiers for years. What's new is that, influenced by the rise of mobile computing, the tiers have become more formalized, and are now typically called the System of Engagement (SoE) and the System of Record (SoR).

Whatever you call them, SoEs and SoRs must react to rapid changes in demand. Spikes in workload can occur suddenly, with each new and often unpredictable change in user behavior.

This makes the cloud, with its elasticity, ideal for hosting SoEs, whose applications are typically a primary point of contact for thousands (or even millions) of web and mobile users. In contrast, SoR applications, such as databases and transaction managers, are updated less often. SoRs require the most stringent security, making them ideal for the mainframe.

Therefore, a rapidly emerging pattern is to host the SoE in the cloud, and keep the SoR with the other important business systems in the company data center, often on a mainframe.
This hybrid cloud design offers elasticity and automation in the SoE, while maintaining the ability to tightly manage the security of the SoR.

Business data security in the SoR is paramount, and the current IBM mainframes have been released with the highest-to-date Common Criteria Evaluation Assurance Level (EAL) ratings among commercial systems (EAL5 on a 1 - 7 scale). Note that an EAL states how rigorously a product was evaluated against its declared security target; it is not a blanket measure of overall security, so the SoR still needs the access controls and the secured connection path described in this paper. Yet some companies wonder if their cloud-based SoE can securely connect to an SoR on enterprise premises.

In this IBM Redpaper publication, we show that the IBM Bluemix cloud platform offers technologies that make it easy for cloud-based SoEs to securely connect to on-premises IBM mainframes, creating a secure, end-to-end, SoE-SoR environment.

Copyright IBM Corp. 2015. All rights reserved. ibm.com/redbooks

Exposing mainframe assets

Even before addressing the connection to the cloud, you need to know that you can safely expose the information assets stored on your mainframe.

The mainframe is a strong back-end system, and an open one. Each mainframe server subsystem, such as IBM WebSphere Application Server, IBM Customer Information Control System (IBM CICS), IBM Information Management System (IBM IMS), and so on, offers several individual connectivity options.

These connectivity options include products such as IBM IMS Connect for z/OS and IBM CICS Transaction Gateway, in addition to CICS SOAP and Representational State Transfer (REST) web services and RESTful requests to Java code running in the CICS Java virtual machine (JVM).

Fortunately, a newer technology, called IBM z/OS Connect, provides a single, uniform way to access these back-end resources. z/OS Connect simplifies mainframe application access by providing a single application programming interface (API) mechanism, regardless of which back-end system is involved.

z/OS Connect, which is a feature of the IBM WebSphere Liberty Profile, accepts JavaScript Object Notation (JSON)-based requests over Hypertext Transfer Protocol (HTTP) and forwards them (in the required data format) to the back-end systems using IBM WebSphere Optimized Local Adapters (WOLAs).

WOLAs provide high-speed, memory-to-memory data transfer. Responses returned from the back-end systems are converted back to JSON by z/OS Connect, and then sent back to the requester. z/OS Connect can also route requests to IMS using IMS Connect.

Figure 1 illustrates these interactions (the arrows show the bidirectional request/response flows).

Figure 1 z/OS Connect provides unified connectivity options, even for batch processing
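The "required data format" conversion is where most of the input validation for the mainframe happens: a JSON request arriving from the SoE is mapped onto the fixed-length, EBCDIC record that the CICS or IMS program expects. The following Python is an added example, not code from the Redpaper or from z/OS Connect, that models that mapping for one constructed record layout. The copybook layout (LAYOUT), the field names, and the use of code page cp037 for EBCDIC are assumptions; a real z/OS Connect service derives its layout from the actual program interface. The point it demonstrates is that a field that does not fit its slot is rejected, never silently truncated and never allowed to run into the next field.

```python
"""Added example, not from the Redpaper or from z/OS Connect: a toy model of the
JSON <-> back-end record conversion that sits in front of CICS and IMS.

LAYOUT is a constructed COBOL-style copybook (PIC 9(n) numeric, PIC X(n)
alphanumeric) and cp037 is assumed as the EBCDIC code page."""
import json

LAYOUT = [                  # (json field, width in bytes, picture kind)
    ("accountId", 10, "9"),
    ("action", 8, "X"),
    ("amountCents", 12, "9"),
]
RECORD_LEN = sum(width for _, width, _ in LAYOUT)   # 30 bytes
EBCDIC = "cp037"


class ConversionError(ValueError):
    """The JSON request cannot be represented safely in the fixed record."""


def json_to_record(payload: str) -> bytes:
    """Validate a JSON request body and pack it into a fixed-length EBCDIC record."""
    doc = json.loads(payload)
    if not isinstance(doc, dict):
        raise ConversionError("request body must be a JSON object")
    unknown = set(doc) - {name for name, _, _ in LAYOUT}
    if unknown:
        raise ConversionError(f"unexpected fields: {sorted(unknown)}")
    record = bytearray()
    for name, width, kind in LAYOUT:
        if name not in doc:
            raise ConversionError(f"missing field {name}")
        value = doc[name]
        if kind == "9":
            # bool is a subclass of int in Python; keep it out of numeric fields
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                raise ConversionError(f"{name} must be a non-negative integer")
            text = str(value)
            if len(text) > width:
                raise ConversionError(f"{name} exceeds PIC 9({width})")
            text = text.rjust(width, "0")       # numeric: right-justified, zero-filled
        else:
            if not isinstance(value, str):
                raise ConversionError(f"{name} must be a string")
            if len(value) > width:
                raise ConversionError(f"{name} exceeds PIC X({width})")
            text = value.ljust(width)           # alphanumeric: left-justified, space-filled
        try:
            record += text.encode(EBCDIC)       # cp037 is single-byte, so len(text) == bytes
        except UnicodeEncodeError as exc:
            raise ConversionError(f"{name} contains characters with no EBCDIC mapping") from exc
    return bytes(record)


def record_to_json(record: bytes) -> str:
    """Unpack a fixed-length EBCDIC response record into a JSON document."""
    if len(record) != RECORD_LEN:
        raise ConversionError(f"record must be {RECORD_LEN} bytes, got {len(record)}")
    doc, offset = {}, 0
    for name, width, kind in LAYOUT:
        text = record[offset:offset + width].decode(EBCDIC)
        offset += width
        if kind == "9" and not text.isdigit():
            raise ConversionError(f"{name} is not numeric in the response record")
        doc[name] = int(text) if kind == "9" else text.rstrip()
    return json.dumps(doc, sort_keys=True)


def rejected(payload: str) -> bool:
    """True when the conversion refuses the request (malformed JSON included)."""
    try:
        json_to_record(payload)
    except ValueError:          # ConversionError and json.JSONDecodeError
        return True
    return False


if __name__ == "__main__":
    # Constructed sample request, as a Bluemix SoE application might send it.
    req = json_to_record('{"accountId": 12345, "action": "DEBIT", "amountCents": 250}')
    print(req.hex())
    print(record_to_json(req))
    print(rejected('{"accountId": 12345, "action": "DEBITDEBIT", "amountCents": 250}'))
```

Whatever the real layout is, the rule applied above is the one to verify on any JSON-to-record gateway in front of an SoR: the set of fields is closed, each field is type- and length-checked against the copybook before encoding, and the code page conversion is allowed to fail rather than substitute characters.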

In addition, z/OS Connect provides added value in the form of interceptors, which, among other capabilities, can provide additional security in the form of auditing, credential validation and conversion, and more. Interceptors can be called in both directions, as shown in Figure 2 (the bidirectional arrow on the left side of the figure represents flows from, and back to, calling applications).

Figure 2 z/OS Connect supports pre-invoke and post-invoke interceptors for added security, auditing, and more

In this way, IBM adds additional security options to protect the mainframe every time an SoE communicates with it through z/OS Connect. With an infrastructure like this in place, the mainframe side of the path is protected. Cloud-based applications can then securely send requests to z/OS systems if the connection between the cloud and the mainframe can be secured. That's where IBM Bluemix enters the picture.

Securing the connection to the cloud

With the security of the mainframe well-established, the next link in an end-to-end security architecture is to lock down the communications between the cloud-based SoE and the mainframe-based SoR.

Bluemix is the IBM Platform as a Service (PaaS) that runs in the cloud and is hosted by IBM SoftLayer, the IBM Infrastructure as a Service (IaaS) offering. Bluemix was initially based on the open source Cloud Foundry project, and enables developers to easily build and deploy applications by reusing existing components and services. This reuse reduces the need for custom code.

Bluemix offers multiple options for securely connecting to resources outside of Bluemix, such as to mainframe-based SoRs:

- IBM DataPower Gateway
- Secure connectors
- IBM Secure Gateway for Bluemix

IBM DataPower Gateway

DataPower Gateway is a highly versatile gateway appliance that is typically found in the DMZ [1] in dual-firewall environments. Bluemix applications can connect directly to DataPower Gateway (whether in the DMZ or within the enterprise's firewall), after which requests are forwarded to the back-end systems.

DataPower Gateway comes in physical and virtual forms, with features that provide high availability, failover, load balancing, message security, data conversion, and more. It excels at Extensible Markup Language (XML) and RESTful web services processing. Version 7.2 of the product enhances cloud and on-premises security with support for Elliptic Curve Cryptography, Server Name Indication, and Perfect Forward Secrecy. Forward secrecy means that session keys are derived from ephemeral key exchanges, so a later compromise of the gateway's long-term private key does not expose sessions that were recorded earlier.

IBM API Management is an optional feature available with DataPower Gateway. APIs are useful because they can be configured by developers of on-premises resources and used by developers of cloud applications. DataPower Gateway implements these API mappings, and API Management makes mainframe APIs more consumable.

Later in this paper, Figure 5 shows a Bluemix application calling APIs that have been configured by mainframe developers to access mainframe services through z/OS Connect. Other access techniques and APIs can also be used.

Secure connectors

Secure connectors establish protected communication between cloud-hosted Bluemix applications and on-premises systems. Connectors are typically made available as services, which means that they can be called by SoE-based applications whenever needed.

In Bluemix, secure connections can be created with the Standard (IBM Cast Iron) Connector, or by using DataPower Gateway as a connector.

Standard (Cast Iron) Connector

This simple, software-based connector acts as an intermediary between a Bluemix application running in the cloud and the back-end mainframe.
A secure connection is established from the Bluemix application to a Cast Iron orchestration, which then connects securely to the on-premises system. In request-response environments, these orchestrations can provide extra capabilities by calling intermediaries to perform data conversion and other chores.

DataPower Gateway as a secure connector

DataPower Gateway can also be used as a secure connector, where it functions within a larger software construct, rather than as a stand-alone appliance as described earlier. Bluemix developers simply configure a service in which DataPower Gateway acts as the connector endpoint, and then call the service when needed to send requests to, and receive responses from, on-premises systems.

[1] DMZ is an acronym for demilitarized zone, which was originally a military term but is now also used in computing to represent a common secure construct in which two firewalls are installed. Often there is a reverse proxy server or a gateway server between the firewalls. Requests from the outside pass through the first firewall, and are processed in some way before being passed across the second firewall into the enterprise intranet. Figure 5 shows DataPower Gateway inside the DMZ.

Figure 3 shows DataPower Gateway being used as the endpoint of a secure connector. DataPower Gateway can be installed either in the DMZ or in the enterprise's trusted zone (or intranet).

Figure 3 Using DataPower Gateway as a secure connector

IBM Secure Gateway for Bluemix

IBM Secure Gateway for Bluemix is a Bluemix service that enables the hybrid cloud with secure connectivity, traffic monitoring, and local endpoint mapping to on-premises applications and data sources. It creates a secure tunnel between Bluemix applications in the cloud and back-end resources. It is based on WebSocket connections, which are bidirectional, persistent connections used for sending text and binary data.

The Secure Gateway features a dashboard that enables developers and administrators to view usage and performance analytics, manage and monitor gateway topology and configuration, and gain visibility into network traffic and endpoints.

The Secure Gateway client is remote software [2] provided by IBM as a Docker image that can be run on Linux systems on premises. Docker is an open source, lightweight, portable runtime container for executable code. A container is analogous to a virtual machine but much smaller, because it shares the host's operating system kernel instead of carrying its own; the trade-off is weaker isolation than a virtual machine provides, so the host that runs the client belongs inside the trust boundary you are protecting.

It's easy to create a new Secure Gateway with just a few clicks. The predefined Docker-based client software can be downloaded and configured to create an on-premises Secure Gateway client, and a Secure Gateway service that can be called when needed. In Figure 4, the left side of the figure shows a Secure Gateway service in Bluemix, available to Bluemix applications. On the right side of the figure is an on-premises Secure Gateway client instance. The secure tunnel is established between the client and the service.

Because the tunnel is opened outbound by the client, the client, rather than the enterprise firewall, is where the set of on-premises endpoints reachable from the cloud is decided. Restrict it to the specific hosts and ports the SoE needs.

[2] The term client here is counterintuitive. In conventional terms, a remote client calls a back-end server or resource. With Secure Gateway, the client is local and is named for how the gateway is instantiated. The Bluemix developer (with Docker already installed on an on-premises machine) simply creates a new Secure Gateway. Bluemix generates a unique ID and provides downloadable client code, which the developer installs in Docker. This establishes the Secure Gateway connection back to Bluemix from the on-premises Secure Gateway client.
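The endpoint mapping described above is only as safe as the destination policy enforced by the on-premises client. The following Python is an added example, not the Redpaper's or IBM's Secure Gateway client code, of a deny-by-default destination allowlist for such a tunnel client. The file format (lines of the form `acl allow|deny host:port`, `*` wildcards, CIDR blocks, `#` comments) is a constructed approximation written for this example, not the product's exact grammar; the hostnames and addresses in SAMPLE_ACL are likewise constructed.

```python
"""Added example, not from the Redpaper or IBM's Secure Gateway client: a
deny-by-default destination allowlist for an on-premises tunnel client.

A destination is reachable only if an 'allow' rule matches it and no equally or
more specific 'deny' rule does. File grammar and sample data are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed ACL file, as an operator might ship it alongside the client container.
SAMPLE_ACL = """
# only the z/OS Connect listener and one IMS Connect port are reachable
acl allow zosconnect.corp.example:9443
acl allow 10.20.30.40:9999
# the management subnet is off limits on every port
acl deny 10.20.99.0/24:*
# everything else is denied anyway; this line just makes the intent visible
acl deny *:*
"""


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    host: str       # hostname, IP address, CIDR block, or "*"
    port: str       # port number or "*"

    def matches(self, host: str, port: int) -> bool:
        if self.port != "*" and int(self.port) != port:
            return False
        if self.host == "*":
            return True
        if "/" in self.host:                          # CIDR: host must be an IP inside it
            try:
                return ipaddress.ip_address(host) in ipaddress.ip_network(self.host, strict=False)
            except ValueError:                        # a hostname never matches a CIDR rule
                return False
        return self.host.lower() == host.lower()      # exact hostname or IP match

    def specificity(self) -> int:
        """Higher is more specific, so a narrow deny beats a broad allow."""
        score = 0
        if self.host != "*":
            score += 1 if "/" in self.host else 2
        if self.port != "*":
            score += 1
        return score


def parse_acl(text: str) -> List[Rule]:
    """Parse 'acl allow|deny host:port' lines; reject anything else loudly."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "acl" or parts[1] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'acl allow|deny host:port', got {raw!r}")
        host, _, port = parts[2].rpartition(":")
        if not host or not port:
            raise ValueError(f"line {lineno}: destination must be host:port")
        if port != "*" and not (port.isdigit() and 0 < int(port) < 65536):
            raise ValueError(f"line {lineno}: bad port {port!r}")
        rules.append(Rule(parts[1], host, port))
    return rules


def is_allowed(rules: List[Rule], host: str, port: int) -> bool:
    """Deny by default; among matching rules the most specific win, deny on ties."""
    matching = [r for r in rules if r.matches(host, port)]
    if not matching:
        return False
    best = max(r.specificity() for r in matching)
    decisive = [r for r in matching if r.specificity() == best]
    return all(r.action == "allow" for r in decisive)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for dest in (("zosconnect.corp.example", 9443), ("zosconnect.corp.example", 22),
                 ("10.20.30.40", 9999), ("10.20.99.7", 9443)):
        print(dest, "allowed" if is_allowed(acl, *dest) else "denied")
```

Two properties matter when reviewing any such policy: an empty or missing file must deny everything (here `is_allowed([], ...)` is always false), and a broad allow such as `*:9443` must not reopen a subnet that a narrower deny has closed, which the specificity ordering enforces.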

Figure 4 shows IBM Secure Gateway for Bluemix providing access to mainframe resources.

Figure 4 Accessing mainframe resources through an IBM Secure Gateway for Bluemix tunnel

Using Secure Gateway for Bluemix with DataPower Gateway

To avoid the need for a separate on-premises server in which to install the Secure Gateway client, Secure Gateway for Bluemix can now be plugged in as a module of DataPower Gateway version 7.2, combining their respective capabilities. With this design, shown in Figure 5, the Secure Gateway client runs from within the DataPower Gateway, either in the DMZ or in the enterprise intranet.

Figure 5 The Secure Gateway client and API Management modules running with DataPower Gateway

Completing the stack with application-level security in Bluemix

Often, for the most critical data, establishing secure connectivity through a secure tunnel is not enough, especially for SoEs designed primarily for use with mobile devices and applications. A tunnel protects the path and authenticates its two ends; it says nothing about which user or device is behind a given request. Designed with this in mind, Bluemix provides more security services at the application level.

IBM Mobile Application Security for Bluemix helps to protect applications and data, preventing unauthorized users and devices (or stolen or compromised devices) from accessing protected assets. IBM Advanced Mobile Access for Bluemix does even more.

IBM Advanced Mobile Access for Bluemix supports OAuth 2.0, an authorization framework that is also the basis for letting users log in with identity providers such as Facebook, Google, and others. Advanced Mobile Access OAuth tokens serve as access tokens that are provisioned at deployment time, and not embedded in application code. OAuth provides assertions to services about the user, the client mobile app that is being run, and the device being used.

Single sign-on (SSO) is another security capability provided by Bluemix. IBM offers a policy-based authentication service that can be used by Node.js and WebSphere Liberty applications to support these single sign-on identity sources:

- SAML Enterprise: A user registry with which an exchange of Security Assertion Markup Language (SAML) tokens completes the authentication.
- Cloud Directory: A different user registry that is hosted in the IBM Cloud.
- Social identity sources using OAuth 2.0: Examples of these registries are the ones maintained by Google, Facebook, LinkedIn, and so on.

The primary roles and components in the OAuth 2.0 authorization flow are the Resource Owner, the OAuth Client, the Authorization Server, and the Resource Server. Figure 6 shows the typical OAuth 2.0 flow, and includes the User-Agent (the application (app) or browser used by the user). The example illustrates a browser-based service that enables a user to send facsimiles (faxes) of stored documents without revealing the user's authentication credentials to the fax service.

Figure 6 Typical OAuth 2.0 authorization flow

OAuth 2.0 can also be used in more specific scenarios, such as authorizing a mobile SoE application based on Bluemix to access CICS transactions on behalf of a mobile banking user. This more specific flow is shown in Figure 7, and explained in the paragraphs that follow.

Figure 7 OAuth 2.0 flow from mobile user to CICS application (with single sign-on authorization)

In Figure 7, these OAuth roles are in action:

- Resource Owner: User
- User-Agent: Banking app (mobile or web)
- OAuth Client: Bluemix application (in the cloud)
- Authorization (AZ) Server: IBM Single Sign-On server
- Resource Server: CICS Transaction Server (on a mainframe)

The numbers on the left side of Figure 7 detail the OAuth flow from mobile user to CICS app:

1. When the user submits a transaction, the mobile banking app (the User-Agent) connects to the Bluemix SoE application (the OAuth Client), which instructs the app to have the user log in if the user has not done so already.

2. The Bluemix application redirects the banking app to the authorization server with the application's client ID (which identifies the OAuth Client, not the user), the request (including its scope, which determines the permissions that are required), and a redirect URL pointing back to the client. In product documentation, this redirect URL is referred to as a URI. The client should also send an unguessable state value and check it when the browser returns, so that a callback cannot be forged or replayed into another user's session.

3. The SSO authorization server authenticates the user, for example by username/password verification, and obtains the user's confirmation of the requested action. It then issues a short-lived, single-use authorization code to send back to the banking app.

4. If successful, the authorization server redirects the banking app back to the Bluemix application using the provided redirect URL, with the authorization code appended to it. The redirect URL typically points to a server-side script that requests the access token through a POST to the authorization server, presenting the code together with the client's own credentials.

5. The authorization server authenticates the POST by validating the client credentials and the code (which must be unexpired, unused, and issued to this client and redirect URL), and responds with an OAuth 2.0 access token that represents the banking app user's authorization for the transaction.

6. The application sends the transaction request and the access token through z/OS Connect to CICS, with z/OS Connect validating the token along the way (signature or introspection, expiry, audience, and scope) before the transaction is started.
CICS then sends back the result of the transaction that was invoked.
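The six steps above are easiest to reason about with every message in hand. The following Python is an added example, not the Redpaper's and not IBM Single Sign-On or z/OS Connect code, that runs the authorization-code flow of Figure 7 in-process: BankingClient stands in for the Bluemix SoE application (OAuth Client), AuthServer for the IBM Single Sign-On server, and ZosConnectStub for the resource side, where the token is validated before the CICS transaction runs. The token format (an HMAC-SHA256 over a JSON payload under a key shared by the authorization server and the resource side), the client credentials, the redirect URI, and the scope names are all assumptions made so the example runs offline; a real deployment would use the SSO service's own token format and validation.

```python
"""Added example, not from the Redpaper nor IBM SSO / z/OS Connect code: the
authorization-code flow of Figure 7 run in-process, one object per role.

Token format, client credentials, redirect URI and scope names are assumptions."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_KEY = b"constructed-shared-key"             # assumption: shared out of band
CLIENT_ID, CLIENT_SECRET = "bluemix-banking-soe", "constructed-client-secret"
REDIRECT_URI = "https://banking.example.mybluemix.net/oauth/callback"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class AuthServer:
    """Steps 2-5: authenticate the user, issue a single-use code, exchange it."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}                    # code -> (client_id, redirect_uri, scope, user)

    def authorize(self, client_id, redirect_uri, scope, state, user):
        # 'user' is the identity the SSO server has just authenticated (step 3).
        # The redirect URI must equal the registered one exactly; otherwise an
        # attacker-chosen URI would receive the code.
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, scope, user)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})   # step 4

    def token(self, client_id, client_secret, code, redirect_uri):
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed only once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid, reused or mismatched authorization code")
        claims = {"sub": entry[3], "aud": "zosconnect", "scope": entry[2],
                  "exp": int(self.clock()) + 300}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest())
        return body + "." + sig             # step 5: the access token


class BankingClient:
    """Steps 1, 2, 4 and 5 from the Bluemix application's side."""

    def __init__(self, auth):
        self.auth, self.sessions = auth, {}   # browser session id -> expected state

    def start_login(self, session_id, user, scope="cics:transfer"):
        state = secrets.token_urlsafe(16)     # binds the callback to this session
        self.sessions[session_id] = state
        return self.auth.authorize(CLIENT_ID, REDIRECT_URI, scope, state, user)

    def handle_callback(self, session_id, callback_url):
        query = parse_qs(urlsplit(callback_url).query)
        expected = self.sessions.pop(session_id, None)
        if expected is None or not hmac.compare_digest(expected, query.get("state", [""])[0]):
            raise PermissionError("state mismatch: forged or replayed callback")
        return self.auth.token(CLIENT_ID, CLIENT_SECRET, query["code"][0], REDIRECT_URI)


class ZosConnectStub:
    """Step 6: validate the bearer token before the request reaches CICS."""

    def __init__(self, clock=time.time):
        self.clock = clock

    def invoke(self, token, required_scope, transaction):
        body, _, sig = token.partition(".")
        good = _b64(hmac.new(TOKEN_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(good, sig):
            raise PermissionError("bad token signature")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["aud"] != "zosconnect" or claims["exp"] <= self.clock():
            raise PermissionError("token not issued for this service, or expired")
        if required_scope not in claims["scope"].split():
            raise PermissionError("insufficient scope")
        return {"user": claims["sub"], "transaction": transaction, "result": "OK"}


if __name__ == "__main__":
    auth, rs = AuthServer(), ZosConnectStub()
    client = BankingClient(auth)
    redirect = client.start_login("browser-session-1", "alice")             # steps 1-4
    access_token = client.handle_callback("browser-session-1", redirect)    # step 5
    print(rs.invoke(access_token, "cics:transfer", "TRANSFER 250"))          # step 6
```

The checks worth carrying over to a real deployment are the ones each role refuses on: the authorization server rejects a redirect URI that differs from the registration and a code that is reused or presented with the wrong client credentials; the client rejects a callback whose state does not match the session that started the login; and the resource side rejects a token with a bad signature, the wrong audience, an elapsed expiry, or a scope that does not cover the requested CICS transaction.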

Conclusion

With the IBM Bluemix platform, you can design and implement a secure hybrid cloud environment in which Systems of Engagement run securely in the cloud, there is secure connectivity to the associated Systems of Record, and the mainframe assets that comprise those records are exposed in the most controlled manner possible. This functionality is enhanced when using IBM mainframes, such as the IBM z13.

Using Bluemix, it's easy to create applications by reusing predefined components and services. IBM offers deeply detailed documentation and optional consulting services to help you make it happen.

In addition to the popular Bluemix platform described throughout this IBM Redpaper publication, IBM has more offerings that can help you secure your cloud-to-mainframe connections:

- Single-tenant Bluemix

The Bluemix Dedicated platform is a single-tenant version of the product that is hosted on SoftLayer, but with access limited to just a single company. The platform brings even more control, security, and flexibility. Developers can build cloud-based SoEs that manage critical data that is visible only to the sponsoring enterprise. This is because Bluemix Dedicated includes the Bluemix virtual private network (VPN), which provides secure access to resources in the enterprise data center.

Bluemix Dedicated generates interesting possibilities for SoEs that can't take full advantage of the Bluemix secure connectivity options discussed earlier. This can be helpful to mobile-oriented SoEs built with the IBM MobileFirst Platform Foundation (formerly known as IBM Worklight).
A recent IBM Statement of Direction announced that the MobileFirst Server will soon be able to run within Docker containers (which are supported by IBM Containers, which themselves are hosted in Bluemix).

IBM Containers in the Bluemix run time extend Docker containers to handle lifecycle management, provide auto-scaling and auto-recovery, perform monitoring and logging, and make the Docker-based apps available with public Internet Protocol (IP) addresses. IBM Containers in Bluemix are secure, because they are isolated for each tenant and each organization. They make the Docker containers enterprise-ready.

- Bluemix Developer Community

IBM hosts a community for Bluemix developers on IBM developerWorks. The community has tutorials, blogs, and videos, and is a great place to ask questions about development on Bluemix.

- IBM Bluemix Garages

Bluemix Garages are locations that customers can visit to get help from IBM to speed their adoption of Bluemix and move their Systems of Engagement to the cloud. In this collaborative environment, customers can more rapidly identify, design, build, and deploy the correct applications to their SoEs.

- Hybrid Cloud Connect Test Drive

IBM offers a trial instance of Bluemix and a VPN for customers who want to test Bluemix connectivity to their mainframe. The Hybrid Cloud Connect Test Drive is available without charge. This includes a no-cost, three-month trial of SoftLayer, including a Gateway as a Service feature that serves as an access point for a VPN, plus one SoftLayer virtual server from which customers can test connectivity to their mainframe systems.

Resources

For more information a
